Amazon_S3_13

Ensure S3 buckets do not grant world-writable permissions to anonymous users

Description

AWS S3 buckets should not be publicly accessible for WRITE actions, in order to protect your S3 data from unauthorized users. An S3 bucket that grants WRITE (upload/delete) access to everyone (i.e. anonymous users) gives attackers the ability to add, delete and replace objects within the bucket, which can lead to loss or tampering of S3 data, or to unintended charges on your AWS bill.

Remediation

There are two ways to remove world-writable access from an S3 bucket:

A. Remove the ACL grant that makes the bucket world-writable:

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. In the Bucket name list, choose the name of the bucket that you want to set permissions for.
  3. Choose Permissions.
  4. In the public access section, select the Everyone grantee.
  5. Uncheck Write objects (and, if it is set, Write bucket permissions, since it allows the ACL itself to be changed).
  6. Click Save.

B. Modify the bucket policy:

  1. Sign in to the AWS Management Console.
  2. Navigate to S3 dashboard at https://console.aws.amazon.com/s3/.
  3. Select the S3 bucket that you want to examine and click the Permissions tab.
  4. Inside Permissions, click the Bucket policy tab.
  5. Click Edit to open the bucket policy currently in use.
  6. In the Bucket Policy Editor, verify the Effect, Principal and Action elements of each statement. Effect describes the permission effect that applies when the caller requests the action(s) defined in the policy; its value is either Allow or Deny. The Principal is the account, user or other entity that is granted (or denied) the actions and resources declared in the statement. If the Effect is Allow, the Action includes write actions such as s3:PutObject or s3:DeleteObject (or a wildcard such as s3:* that covers them), and the Principal is "*" or {"AWS": "*"} (i.e. everyone), the bucket is world-writable and can be marked as insecure, unless a Condition element restricts the statement. A Condition does not automatically make the statement safe; review what it actually restricts.
  7. Change the Principal value from "*" to a Principal element naming the specific user, account, service or other entity that should be allowed or denied access to the resource, then save the policy.
  8. Repeat steps no. 3 –
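The check in step 6 and the fix in step 7 can be automated against the JSON that the S3 API returns. The following is an added example, not part of the original rule text and not the console's own logic: it evaluates a bucket policy and an ACL in the shape returned by `aws s3api get-bucket-policy` / `get-bucket-acl` (or boto3) and rewrites anonymous principals on the offending statements to a single account. The policy, ACL, bucket name, account ID and VPC endpoint ID are constructed samples. It generalises the page's check slightly by matching wildcard actions (`s3:*`, `s3:Put*`), treating `NotAction` as writable, and flagging the AuthenticatedUsers ACL group as well as AllUsers, since "any AWS account" is still everyone.

```python
"""Detect and fix S3 bucket policies / ACLs that let everyone write (upload/delete)."""
import fnmatch
import json

# Object-level actions that let a caller add, replace or delete S3 data.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:DeleteObjectVersion")

# Predefined ACL groups. AllUsers is anonymous; AuthenticatedUsers is any AWS account,
# which is still "everyone" for this check.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    """IAM allows a scalar or a list for Statement, Action and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the two anonymous forms named in step 6."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_write(actions):
    """Match listed actions (wildcards allowed, case-insensitive) against WRITE_ACTIONS."""
    for pattern in _as_list(actions):
        for action in WRITE_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def world_writable_statements(policy):
    """One finding per Allow statement that lets everyone write.

    A finding records the statement's Sid (or index) and whether a Condition
    element is present. Conditional statements are still reported: a human must
    review what the condition restricts instead of assuming it is safe.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        # NotAction + public Allow grants everything except the listed actions,
        # so treat it as writable unless a reviewer proves otherwise.
        if "NotAction" not in stmt and not _grants_write(stmt.get("Action")):
            continue
        findings.append({"sid": stmt.get("Sid", f"Statement[{index}]"),
                         "conditional": "Condition" in stmt})
    return findings


def public_write_grants(acl):
    """(group, permission) for ACL grants giving a public group WRITE or FULL_CONTROL."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_ACL_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if group and grant.get("Permission") in ("WRITE", "FULL_CONTROL"):
            hits.append((group, grant["Permission"]))
    return hits


def restrict_to_account(policy, account_id):
    """Step 7: replace the anonymous principal on each flagged statement with one account."""
    fixed = json.loads(json.dumps(policy))  # deep copy; leave the input untouched
    flagged = {f["sid"] for f in world_writable_statements(policy)}
    for index, stmt in enumerate(_as_list(fixed.get("Statement"))):
        if stmt.get("Sid", f"Statement[{index}]") in flagged:
            stmt["Principal"] = {"AWS": f"arn:aws:iam::{account_id}:root"}
    return fixed


# Constructed sample policy (placeholder bucket and VPC endpoint IDs), not real data.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnonymousUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnlyUpload", "Effect": "Allow", "Principal": "*",
         "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

# Constructed sample ACL with a public WRITE grant (owner ID is a placeholder).
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print("policy findings:", world_writable_statements(SAMPLE_POLICY))
    print("acl findings:", public_write_grants(SAMPLE_ACL))
    print("after fix:", world_writable_statements(restrict_to_account(SAMPLE_POLICY, "111122223333")))
```

PublicRead is not reported because the rule is about write access; AnonymousUpload is reported as an unconditional finding and VpcOnlyUpload as a conditional one. Applying the fix to the policy (and removing the ACL grant as in method A) clears the findings. As a belt-and-braces measure, enabling S3 Block Public Access on the bucket (`aws s3api put-public-access-block`) stops new public ACLs or policies from being applied later, independently of this per-bucket review.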

Service

S3

Severity

High

Compliance

Mapping
